[web] [SOLVED] PHP - Disabling magic_quotes_gpc not seeming to work

Started by deadimp; 9 comments, last by deadimp 17 years ago
[New Problem] Can't get magic_quotes to turn off... See my second post.

[Old - PHP - Safe form processing - "escaped characters"]
I'm just now getting into this area: What's the safest way to parse a string from PHP to make it compatible with the value attribute in an input field? Does htmlspecialchars() work with it, or not? [Haven't tested it yet] I notice that sometimes on this forum, the HTML escape sequences are left in the editor... (Or at least I noticed it a couple of times a little while ago.) Looking on here, though, it seems to work...

Plus, why is it that PHP automatically adds escaped characters to $_POST variables? What I mean is, when I submit text that would evaluate to "Stuff with \"quotes\"", what I would get on the receiving script would be "Stuff with \\\"quotes\\\"", and so on. Is this an option in php.ini? I know it happens on both my test server and the actual server that I'm working with.

[Ignore this part - I'm screwing around with the textarea] << >> < > " '
Right above this, when I edited it, it still displays the tag-chars (< and >) with their escape sequences.

[Edited by - deadimp on April 23, 2007 7:01:13 PM]
Projects: Thacmus - CMS (PHP 5, MySQL). Paused: dgi, MegaMan X Crossfire
PHP has this much-hated feature called magic quotes that will automatically escape characters in your strings. It's not the same as using a DB-specific escape function, such as mysql_real_escape_string(), pg_escape_string(), etc. Not everyone likes having the strings escaped already, since there may be other actions that need to be taken with the text as is.

The feature in php.ini is called magic_quotes and is on by default (unless your web host has disabled it).

You use htmlentities() and htmlspecialchars() when you output HTML. You would typically do this when printing out data that could contain characters such as an ampersand (&) and you want to have valid HTML. I wouldn't recommend doing this for the information that is stored in the database. The differences between the two can be found on PHP's website.

Also, any function for php can be looked up by typing php.net/[function_name]
Keep this in mind the next time you are thinking of a function but can't recall where you're supposed to specify what argument (some PHP functions mix the order).
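As an added illustration of the point made in the reply above (this is not code from the thread): the same submitted string is escaped once per output context, with the undo-magic-quotes step kept separate from both. It assumes PHP with the pdo_sqlite extension so the SQL part can run against an in-memory database; the field names follow the poster's form; expect(), undoMagicQuotes(), htmlAttr() and renderForm() are helper names made up for this example. A prepared statement stands in for mysql_real_escape_string(), which needs a live MySQL connection to run.

```php
<?php
// Added example, not code from the thread. One submitted string handled
// correctly for three contexts: an HTML attribute, a <textarea>, and SQL.
// Assumes PHP >= 5.1 with the pdo_sqlite extension (in-memory database).

function expect($actual, $expected, $what) {
    if ($actual !== $expected) {
        throw new RuntimeException("$what: got " . var_export($actual, true));
    }
}

// Constructed input: what the user typed into the "title" field.
$submitted = 'Stuff with "quotes", a \\ backslash & <tags>';

// With magic_quotes_gpc=On, $_POST['title'] arrives already addslashes()'d.
// Simulated here so the script behaves the same whatever the ini setting.
$fromPost = addslashes($submitted);   // Stuff with \"quotes\", a \\ backslash & <tags>

// 1. Undo magic quotes ONLY when the flag is really on. Stripping
//    unconditionally destroys legitimate backslashes the user typed.
function undoMagicQuotes($value, $magicQuotesOn) {
    return $magicQuotesOn ? stripslashes($value) : $value;
}
$title = undoMagicQuotes($fromPost, true);
expect($title, $submitted, 'stripslashes should restore the original text');

// 2. HTML output: escape at print time, once, for the HTML context.
//    ENT_QUOTES makes the value safe inside both "..." and '...' attributes.
function htmlAttr($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
function renderForm($title, $desc) {
    return "<form action='file.php' method='post'>\n"
         . "<input name='title' value='" . htmlAttr($title) . "'><br>\n"
         . "<textarea name='desc'>" . htmlAttr($desc) . "</textarea>\n"
         . "</form>\n";
}
expect(htmlAttr($title),
       'Stuff with &quot;quotes&quot;, a \\ backslash &amp; &lt;tags&gt;',
       'attribute escaping');

// A description that tries to close the textarea early is rendered inert,
// because </textarea> becomes &lt;/textarea&gt;.
echo renderForm($title, '</textarea><script>alert(1)</script>');

// 3. SQL: do not hand-escape at all; bind the raw (un-magic-quoted) value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');

$stmt = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
$stmt->execute(array(':title' => $title));
$stored = $db->query('SELECT title FROM posts WHERE id = 1')->fetchColumn();
expect($stored, $submitted, 'bound value should round-trip byte for byte');

// What the poster saw: binding the magic-quoted value without stripping it
// stores the backslashes as data, and every further addslashes() layer
// (magic quotes on the next submit) stacks on top of them.
$stmt->execute(array(':title' => $fromPost));
$doubled = $db->query('SELECT title FROM posts WHERE id = 2')->fetchColumn();
expect($doubled, $fromPost, 'unstripped input keeps its backslashes');
```

The escaping is applied where the value leaves the script (the HTML string, the bound SQL parameter), not where it enters; that is why the same $title can be used for both outputs without decoding it first.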
I had the function pulled up on the manual, I just hadn't used it that much before and needed to know if there were any better alternatives... [Insert additional hypocritical self-justification]

As for my database stuff, I have the form encode the string appropriately (whether for the value attr or for the textarea tag), and then on submission I decode the string in the same way. On its way to the database query, I then encode it for a MySQL-safe string.

Thanks for the pointers.
Gotta go change that frickin' INI value.

[New Problem]
Huh... Can't change it. I've tried changing php.ini and restarting Apache, and I've tried 'ini_set' in the script, neither showed any difference when I pulled up 'phpinfo()'....
I've looked at the documentation, and I've set 'magic_quotes_sybase' to false, so it shouldn't be overriding it (that's actually showing up in the config).

[Edited by - deadimp on April 20, 2007 10:56:45 PM]
What OS are you running? Are you sure you're editing the correct php.ini file? I know that with XAMPP installs on Windows, there are four or five php.ini files, with the correct one being located in a sub folder that is under apache.

If you're using Linux and not the XAMPP package, then where the file is located can vary. If you're running Linux, type "locate php.ini" and it will give you all instances of that file on the system. If you're running Windows, search your system for that file as well (if you're using XAMPP, it's under the apache/something folder).
Original post by deadimp:
    Plus, why is it that PHP automatically adds escaped characters to $_POST variables?

You mean $_GET?

Since I'm really not sure what you are doing (an example would be best) have you tried just using the stripslashes / addslashes functions?
Mark A. Drake, OnSlaught Games
I'm using Xampp on Windows, and I'm fairly certain that the php.ini file used is in xampp\php\php.ini (running PHP 5).

markadrake >> Well, technically $_GET, $_POST, and $_COOKIE.
I'm just using simple forms:
Form:

    <form action='file.php' method='post'>
    <input name='title' value='Title'><br>
    <textarea name='desc'>Stuff goes here<br></textarea>
    </form>

file.php:

    if ($_POST["title"]) {
        $title = ...;  // register_globals is disabled
    }

For now, I'm using those two functions, but I guess it would be better for me if I didn't have to worry about stripslashes when retrieving something via post. Since I can't do it on my local server, I'll have to make sure it's still On on the server I'm working with.

Ah, forgot to mention, the flag is "magic_quotes_gpc"... Not sure what it is on PHP 4.x.
Aw, crap. Stupid, stupid, stupid me.
I forgot that phpinfo() listed where the config file was, and I was too ign'ant to look there.
Ends up it was in the bin directory of apache.
Thanks for the help.

[Edited by - deadimp on April 22, 2007 5:12:22 PM]
See? I told you it was under a sub folder of apache! I had to make this exact change on Thursday in the same scenario [smile]

Today's cliche: Ignorance is bliss, when it doesn't bite you in the arse.
magic_quotes_gpc might well be enabled on your production server - and you might not be able to disable it via the ini file!

My preferred fix is to leave it on in the server configuration, but to add a .htaccess file to the site root containing the line:

php_flag magic_quotes_gpc off

[+++ Divide By Cucumber Error. Please Reinstall Universe And Reboot +++]
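For a host that leaves magic_quotes_gpc on and honours neither php.ini edits nor a .htaccess php_flag (the situation the post above anticipates), the remaining option is to undo the escaping at the start of every request rather than turn the flag off. The prelude below is an added example, not code from the thread; magicQuotesActive(), stripMagicQuotes() and undoMagicQuotesOnGpc() are names chosen here, and the sample $_POST contents are constructed. It also records why ini_set() changed nothing in the earlier post: magic_quotes_gpc is a PHP_INI_PERDIR setting, applied before the script starts, so it can only be set in php.ini, httpd.conf or .htaccess.

```php
<?php
// Added example, not code from the thread. Drop-in prelude for a site whose
// host leaves magic_quotes_gpc on. Live behaviour applies to PHP 5.0-5.3;
// from 5.4 on magic quotes are gone and the prelude is a no-op.

// ini_set('magic_quotes_gpc', 0) cannot work: the setting is PHP_INI_PERDIR,
// so the superglobals are already addslashes()'d by the time user code runs.
// The only in-script fix is to strip the slashes back out, once, up front.

function magicQuotesActive() {
    // get_magic_quotes_gpc() always returns false since 5.4, is deprecated
    // in 7.4 (hence the @), and is removed in 8.0 (hence function_exists).
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively stripslashes() every value in an array, so nested fields such
// as name="tags[]" are handled too. Keys are left untouched.
function stripMagicQuotes($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = stripMagicQuotes($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Returns true if the superglobals were rewritten, false if nothing to do.
function undoMagicQuotesOnGpc() {
    if (!magicQuotesActive()) {
        return false;
    }
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
    return true;
}

// Self-check with constructed data: what $_POST looks like with the flag on.
$simulatedPost = array(
    'title' => 'Stuff with \\"quotes\\"',      // Stuff with \"quotes\"
    'tags'  => array('it\\\'s', 'C:\\\\path'),  // it\'s , C:\\path
);
$expected = array(
    'title' => 'Stuff with "quotes"',
    'tags'  => array("it's", 'C:\\path'),
);
if (stripMagicQuotes($simulatedPost) !== $expected) {
    throw new RuntimeException('stripMagicQuotes produced the wrong result');
}

// Run it at the top of every entry script, or once for the whole site via
// auto_prepend_file in php.ini. After this, $_POST holds the user's text
// exactly as typed and the normal per-context escaping applies.
undoMagicQuotesOnGpc();
```

Strip only when magicQuotesActive() reports the flag is on: calling stripslashes() on input that was never escaped silently eats any backslash the user typed, which is the same class of data corruption in the other direction.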
